on 11-07-2011 01:58 PM
In this document we walk through a configuration setting up BNG for IPoE and PPPoE. The setup for this configuration is similar to the setup you can see in the YouTube video for the IP sessions demo.
It is a detailed description of how to set up the configuration and the options for establishing PPPoE and IPoE sessions, and of the anatomy of the control policy language.
hostname A9K-BNG
radius-server host 3.0.0.38 auth-port 1645 acct-port 1646
!Radius-server definition with IP address and the UDP ports it is going to use.
key 7 045802150C2E
!Secret key for the radius communication
timeout 1
!Maximum time waiting for response
retransmit 1
!Maximum number of times you retransmit the request, after waiting <timeout> time.
!COA server definition
aaa server radius dynamic-author
port 1700
!COA port is standard 1700
client 3.0.0.1 vrf default server-key 7 13061E010803
client 10.86.1.49 vrf default server-key 7 14141B180F0B
!The clients from which we are going to accept a COA Response.
!Attribute definitions that we can reference for the nas-port
!building.
!"MY_AUTH" will take the MAC address, circuit ID and remote ID and
!append them together separated by hash signs. If one of the fields is
!not available, an empty string will be provided for that portion.
!example 0000.1111.2222##remoteid or 0000.2222.1111#circ#remote
!
aaa attribute format MY_AUTH
mac-address plus circuit-id plus remote-id separator #
!
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
! Nas-port computation for PPPoE(32) and if not pppoe then follow the
! global (non typed) logic
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
!Set up the XR nas-port-id (attr87) for sessions following the nas-port
!format instructions above.
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
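The two attribute formats above (MY_AUTH and NAS_PORT_FORMAT) and the 32-bit "format e" NAS-Port layout are easy to get wrong when you build a RADIUS policy around them, so here is an added example (not part of this document or of IOS XR) that models them in Python. The field order, separators and the letter string are taken from the configuration; the names `compose_attribute`, `decode_nas_port` and `encode_nas_port` are the example's own. Only the grouping of the bits comes from the page; the V and U groups are checked against the Nas-Port values in the show output further down (VLAN id and PPPoE session id), the other letters are left uninterpreted.

```python
# Added example, not part of the original document or of Cisco IOS XR:
# it models the two 'aaa attribute format' definitions and the 'format e'
# NAS-Port layout configured above, in plain Python.
from typing import Dict, Optional, Sequence

# Values copied from the configuration above.
NAS_PORT_FORMAT_E = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"
MY_AUTH_ORDER = ("mac-address", "circuit-id", "remote-id")       # separator "#"
NAS_PORT_ID_ORDER = ("circuit-id", "remote-id")                  # separator "."


def compose_attribute(fields: Dict[str, Optional[str]],
                      order: Sequence[str], separator: str) -> str:
    """Model 'aaa attribute format NAME f1 plus f2 ... separator X'.

    Fields are appended in the configured order; a field that is missing
    (None or empty) contributes an empty string, which is why the comment
    above shows 0000.1111.2222##remoteid for a session with no circuit-id.
    """
    return separator.join(fields.get(name) or "" for name in order)


def _runs(fmt: str):
    """Yield (letter, width) for each contiguous run of letters in fmt."""
    if len(fmt) != 32:
        raise ValueError("a 'format e' string must be exactly 32 characters")
    seen = set()
    i = 0
    while i < 32:
        j = i
        while j < 32 and fmt[j] == fmt[i]:
            j += 1
        if fmt[i] in seen:
            raise ValueError(f"letter {fmt[i]} appears in more than one run")
        seen.add(fmt[i])
        yield fmt[i], j - i
        i = j


def decode_nas_port(value: int, fmt: str = NAS_PORT_FORMAT_E) -> Dict[str, int]:
    """Split a 32-bit NAS-Port into the bit groups named by the format string.

    What each letter stands for is not spelled out on the page; the V and U
    groups match the VLAN id and PPPoE session id of the sessions shown in
    the 'show subscriber session' output, the rest is returned as-is.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS-Port must fit in 32 bits")
    bits = format(value, "032b")
    groups: Dict[str, int] = {}
    pos = 0
    for letter, width in _runs(fmt):
        groups[letter] = int(bits[pos:pos + width], 2)
        pos += width
    return groups


def encode_nas_port(groups: Dict[str, int], fmt: str = NAS_PORT_FORMAT_E) -> int:
    """Inverse of decode_nas_port. A field that does not fit its width is
    rejected instead of silently spilling into the neighbouring field."""
    value = 0
    for letter, width in _runs(fmt):
        field = groups.get(letter, 0)
        if not 0 <= field < (1 << width):
            raise ValueError(f"field {letter} does not fit in {width} bits")
        value = (value << width) | field
    return value


if __name__ == "__main__":
    # Session with no circuit-id, as in the comment's example.
    print(compose_attribute({"mac-address": "0000.1111.2222",
                             "remote-id": "remoteid"}, MY_AUTH_ORDER, "#"))
    # Nas-Port values from the show output below (PPPoE session on VLAN 100).
    print(decode_nas_port(67110466))
```

Feeding the two Nas-Port values from the show output (67108896 for the IP session on Bundle-Ether100.2, 67110466 for pppoe2 on Bundle-Ether100.100) through `decode_nas_port` gives V = 2 / U = 0 and V = 100 / U = 2 respectively, which is a quick way to confirm that the format string the NAS and the RADIUS server agree on is the one actually in use.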
!Set up for AAA usage. Note that we don't have "aaa new-model" in
!XR. Also "subscriber" is used for BNG. Method "PPP" is used for
!serial PPP.
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
!DHCP configuration
dhcp ipv4
!specify a profile name and define what method is used, relay, proxy
!or snooping.
profile AutoSelectGiaddr proxy
!Different classes may be defined. This is not necessarily the
!vendor class, but here we can check certain options in the discover
!to selectively set the helper address and giaddr. That last one
!will affect the pool we’re going to use on the dhcp server.
class HardPhone1
match option 60 hex 4861726450686F6E6531 mask 0
!Option 60 is the vendor-class, followed by a hex string. I chose it
!to match the "class" name from the line above, but that is not
!necessary. The mask defines which bytes must match and which are
!don't-cares. A mask of 0 means full match.
helper-address vrf default 81.1.1.2 giaddr 10.1.1.254
!
class HardPhone2
match option 60 hex 4861726450686F6E6532 mask 0
helper-address vrf default 81.1.1.2 giaddr 172.28.15.254
!
relay information option
relay information policy replace
relay information option remote-id testme
relay information option allow-untrusted
! The configuration above defines the option 82 handling.
! Allow untrusted means that we accept dhcp discovers with a 0.0.0.0
! giaddr, which is normally the case when there is no relay between
! the client and the 9k.
Relay information policy:
Case # | Received packet option-82 suboptions | Configured option-82 suboptions | Forwarded packet suboptions for full-option-82 keep | Forwarded packet suboptions for individual-suboption keep | Forwarded packet suboptions for replace
1 | "rx-cid", "rx-rid" | "in-rid", vpn-id | "rx-cid", "rx-rid" | "rx-cid", "rx-rid", vpn-id | "rx-cid", "in-rid", vpn-id
2 | "rx-cid" | "in-rid", vpn-id | "rx-cid" | "rx-cid", "in-rid", vpn-id | "rx-cid", "in-rid", vpn-id
3 | (none) | "in-rid", vpn-id | "in-rid", vpn-id | "in-rid", vpn-id | "in-rid", vpn-id
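The class selection on option 60 and the three option 82 relay policies in the table are worth seeing in code, because a relay that accepts a malformed or half-parsed discover is exactly what "allow-untrusted" exposes you to. The following is an added example, not from this document or from IOS XR: a minimal DHCP option TLV parser that extracts option 60 and the option 82 sub-options, a `match option 60 hex ... mask 0` check, and a `relay_policy` function that reproduces the table above for the three policies. The option 60 hex string is the one from the HardPhone1 class; the packet bytes are constructed for the example, and the sub-option code used for vpn-id (151) is an assumption.

```python
# Added example, not part of the original document or of Cisco IOS XR.
from typing import Dict, List, Optional

OPT_PAD, OPT_VENDOR_CLASS, OPT_RELAY_AGENT, OPT_END = 0, 60, 82, 255
# Sub-option codes: circuit-id (1) and remote-id (2) per RFC 3046; the
# vpn-id code 151 is an assumption made for this example.
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_VPN_ID = 1, 2, 151


def parse_tlv(buf: bytes, end_marker: bool = True) -> Dict[int, bytes]:
    """Walk a code/length/value list. A truncated element raises instead of
    yielding a partial value, so a malformed packet never classifies."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if end_marker and code == OPT_END:
            break
        if end_marker and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError(f"option {code}: missing length byte")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        out[code] = value
        i += 2 + length
    return out


def parse_discover_options(buf: bytes) -> Dict[str, object]:
    """Return option 60 (or None) and the parsed option 82 sub-options."""
    opts = parse_tlv(buf)
    subs = parse_tlv(opts[OPT_RELAY_AGENT], end_marker=False) if OPT_RELAY_AGENT in opts else {}
    return {"option60": opts.get(OPT_VENDOR_CLASS), "option82": subs}


def is_malformed(buf: bytes) -> bool:
    try:
        parse_discover_options(buf)
        return False
    except (ValueError, IndexError):
        return True


def match_option60(option60: Optional[bytes], pattern_hex: str, mask: int = 0) -> bool:
    """Model 'match option 60 hex <pattern> mask 0': with mask 0 the whole
    value must equal the pattern (the only mask value used on the page)."""
    if mask != 0:
        raise NotImplementedError("only mask 0 (full match) is modelled here")
    return option60 is not None and option60 == bytes.fromhex(pattern_hex)


def relay_policy(received: Dict[int, bytes], configured: Dict[int, bytes],
                 policy: str) -> Dict[int, bytes]:
    """Forwarded option 82 sub-options for the three policies in the table."""
    if policy == "keep":             # full-option-82 keep: leave a present option 82 alone
        return dict(received) if received else dict(configured)
    if policy == "keep-individual":  # add configured sub-options only where absent
        return {**configured, **received}
    if policy == "replace":          # configured sub-options overwrite received ones
        return {**received, **configured}
    raise ValueError(f"unknown policy {policy!r}")


def values(subs: Dict[int, bytes]) -> List[str]:
    """Sorted sub-option values, for comparing with the table."""
    return sorted(v.decode() for v in subs.values())


# Constructed discover option list: vendor class "HardPhone1" (the hex
# string from class HardPhone1) plus an option 82 carrying rx-cid/rx-rid.
CONSTRUCTED_DISCOVER_OPTIONS = (
    bytes([OPT_VENDOR_CLASS, 10]) + bytes.fromhex("4861726450686F6E6531")
    + bytes([OPT_RELAY_AGENT, 16])
    + bytes([SUB_CIRCUIT_ID, 6]) + b"rx-cid"
    + bytes([SUB_REMOTE_ID, 6]) + b"rx-rid"
    + bytes([OPT_END])
)
# Constructed stand-in for the locally configured sub-options ("in-rid", vpn-id).
CONFIGURED_OPTION82 = {SUB_REMOTE_ID: b"in-rid", SUB_VPN_ID: b"vpn-id"}

if __name__ == "__main__":
    parsed = parse_discover_options(CONSTRUCTED_DISCOVER_OPTIONS)
    print("HardPhone1 match:", match_option60(parsed["option60"], "4861726450686F6E6531"))
    for policy in ("keep", "keep-individual", "replace"):
        print(policy, values(relay_policy(parsed["option82"], CONFIGURED_OPTION82, policy)))
```

Running it prints the row for case 1 of the table; dropping the remote-id sub-option from the constructed packet gives case 2, and dropping option 82 entirely gives case 3. The `is_malformed` check is the part a relay should do before any of the policy logic runs.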
! Define the interfaces and the attached profiles
interface Bundle-Ether100.2 proxy profile AutoSelectGiaddr
interface Bundle-Ether1001.2 proxy profile AutoSelectGiaddr
!
pppoe bba-group X
tag ppp-max-payload minimum 1200 maximum 2000
service selection disable
! PPPoE group definition. Currently there is limited service selection
!support (just matching on service name). The COS values for PPPoE
!control can be defined here, as well as the processing/support for the
!max-payload tag. In IOS you could configure the processing of vendor-tags
!and strip them selectively. In XR we always process the tags and we
!always strip them from a PADR.
!IP address pool definition
pool vrf default ipv4 POOL
address-range 199.1.1.1 199.1.255.255
!
!The dynamic templates are like IOS virtual-templates. The base
!configuration for each session is defined here. L3 features as well
!as PPP specific parameters are defined here.
dynamic-template
type ppp TPL
ppp authentication chap
ppp ipcp dns 1.2.3.4 1.2.3.3
ppp ipcp peer-address pool POOL
ipv4 unnumbered Loopback1000
!
type ipsubscriber IPSUB
ipv4 unnumbered Loopback12
ipv4 access-group IPSUB_FAIL_ACL ingress
ipv4 access-group IPSUB_FAIL_ACL egress
!A few ACL definitions referenced in the radius profile, qos class-maps
!or in the dynamic template.
ipv4 access-list PERM_ALL
10 permit ipv4 any any
20 permit icmp any any
!
ipv4 access-list lab-video
20 permit udp any any eq 5544
30 permit udp host 49.1.1.2 any
!
ipv4 access-list IPSUB_FAIL_ACL
5 permit icmp any any
10 permit tcp any host 49.1.1.2 eq www
15 permit tcp host 49.1.1.2 eq www any
20 deny ipv4 any any
!QOS class-map used in COA parameterized QOS requests
!remember that with pQOS you can define the policy-map via RADIUS,
!however you need to define your class-maps locally in XR.
class-map match-any VIDEO
match access-group ipv4 lab-video
end-class-map
!
class-map match-any 3play-voip
match access-group ipv4 telnet
end-class-map
!These are the class-maps used later in the control policy. You can
!match on various aspects of the interface/session, like username or
!domain. In this case we have simple class-maps that match on the
!protocol, so we are going to differentiate between PPP and IP subscribers.
!
class-map type control subscriber match-any PPP
match protocol ppp
end-class-map
!
class-map type control subscriber match-any DHCP
match protocol dhcpv4
end-class-map
!
!In this sample class-map we take the username, apply a
!separator switch on it as defined in the "format DOMAIN" attribute
!definition, and see if that domain name matches "vrf_vpn".
class-map type control subscriber match-any matchdomain
match domain vrf_vpn format DOMAIN
end-class-map
!
!This is the most important part, the XR control Policy.
policy-map type control subscriber sub
event session-start match-first
!
!Events: during the session lifetime, various events are triggered.
!In this case we provide a handler for the session-start event. This is
!the reception of a PADI for pppoe sessions or a dhcp discover for IP
!sessions.
!The match-first means that we only handle one class of the event,
!the class that matches first.
!This as opposed to match-all, which means that we will traverse all
!classes to see if they match and execute the actions defined
!underneath the class.
!
Event | What does it do or when is it triggered?
session-start | when we get the first sign of life (for pppoe that is at PADR)
session-activate | at the authentication phase, i.e. when we've got the username/password (or challenge/response) (PPPoE ONLY)
authentication-failure* | when we receive an access-reject from radius
authentication-no-response | when the method list for the authentication request does not return any response (success/reject)
authorize-failure* | when we receive an access-reject from radius
authorize-no-response | when the method list for authen or author does not return any response (success/reject)
service-stop | when a service that is applied to the session is removed or stopped
class type control subscriber CLASS do-until-failure
!
!CLASS: Underneath that event, we define the classes. In this example
!I created 2 classes to match specifically on DHCP and PPP sessions.
!I can have 1 control policy with 1 event, and then the class
!differentiator to determine what I want to do specifically/separately
!for both session types.
!
Do until? | What does it do?
do-until-failure | we keep executing the actions until one fails (e.g. access-reject, no radius response or a feature application failure); then we stop.
do-until-success | when an action succeeds we stop.
do-all | regardless of success or failure, all actions are executed.
!
10 activate dynamic-template TPL
!
!Activation of the dynamic template configuration. PPP will take the
!LCP parameters and auth protocol from there.
!
!Class-actions:
!
event session-activate match-first
class type control subscriber CLASS do-until-failure
10 activate dynamic-template TPL
20 authenticate aaa list default
Note: because authenticate uses the line username, it is generally useless on the session-start event; authorize, with which you compose the username based on MAC, circuit ID etc., is very useful on both session-start and session-activate.
!
!
end-policy-map
!
policy-map type control subscriber ipsub
event session-start match-first
class type control subscriber DHCP do-until-failure
10 authorize aaa list default identifier source-address-mac password cisco
! Use the authorize here to compose the username to be sent to
! radius. In this case we use pw cisco as the password.
!
end-policy-map
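To make the event/class/action semantics from the two tables concrete, here is an added example (not part of this document or of IOS XR) that models how a control policy-map walks an event's classes under match-first or match-all and a class's numbered actions under do-until-failure, do-until-success or do-all. The two policies encoded are the ones on this page, with `ipsub_fancy_auth` taken from the "Policy Executed" section of the show output further down (activate IPSUB, then authorize), so the model reproduces that output: the authorize fails and the do-until-failure class stops there. The RADIUS backend, the matcher for class CLASS (not defined on the page) and the function names are stand-ins constructed for the example.

```python
# Added example, not part of the original document or of Cisco IOS XR: a
# small model of 'policy-map type control subscriber' execution.
from typing import Callable, Dict, List, Tuple

Session = Dict[str, object]
Handler = Callable[[Session], bool]                       # returns success?
ActionDef = Tuple[int, str, Handler]                      # (sequence, text, handler)
ClassDef = Tuple[str, Handler, str, List[ActionDef]]      # (name, matcher, do-mode, actions)

# Constructed stand-in for the RADIUS server: one known PPP user and no
# MAC-based entry, so an authorize by source MAC fails as in the show output.
RADIUS_USERS = {"test": "cisco"}


def activate(template: str) -> Handler:
    """'activate dynamic-template X': always succeeds, records the template."""
    def handler(session: Session) -> bool:
        session.setdefault("templates", []).append(template)
        return True
    return handler


def authorize_by_mac(session: Session) -> bool:
    """'authorize aaa list default identifier source-address-mac': the
    username sent to RADIUS is composed from the MAC, not the line username."""
    return str(session.get("mac")) in RADIUS_USERS


def authenticate(session: Session) -> bool:
    """'authenticate aaa list default' uses the PPP line username/password."""
    return RADIUS_USERS.get(str(session.get("username"))) == session.get("password")


def run_class(mode: str, actions: List[ActionDef], session: Session) -> List[Tuple[str, bool]]:
    """Execute a class's actions in sequence order under the given do-mode."""
    if mode not in ("do-until-failure", "do-until-success", "do-all"):
        raise ValueError(f"unknown do-mode {mode!r}")
    log: List[Tuple[str, bool]] = []
    for seq, text, handler in sorted(actions, key=lambda a: a[0]):
        ok = handler(session)
        log.append((f"{seq} {text}", ok))
        if mode == "do-until-failure" and not ok:
            break
        if mode == "do-until-success" and ok:
            break
    return log


def run_event(match_mode: str, classes: List[ClassDef],
              session: Session) -> Dict[str, List[Tuple[str, bool]]]:
    """match-first stops after the first matching class, match-all visits every class."""
    if match_mode not in ("match-first", "match-all"):
        raise ValueError(f"unknown match mode {match_mode!r}")
    executed: Dict[str, List[Tuple[str, bool]]] = {}
    for name, matcher, mode, actions in classes:
        if not matcher(session):
            continue
        executed[name] = run_class(mode, actions, session)
        if match_mode == "match-first":
            break
    return executed


is_dhcp: Handler = lambda s: s.get("protocol") == "dhcpv4"   # class-map DHCP
is_ppp: Handler = lambda s: s.get("protocol") == "ppp"       # class-map PPP
any_session: Handler = lambda s: True                        # stand-in for class CLASS

POLICY_SUB = {
    "session-start": ("match-first", [
        ("CLASS", any_session, "do-until-failure",
         [(10, "activate dynamic-template TPL", activate("TPL"))])]),
    "session-activate": ("match-first", [
        ("CLASS", any_session, "do-until-failure",
         [(10, "activate dynamic-template TPL", activate("TPL")),
          (20, "authenticate aaa list default", authenticate)])]),
}
POLICY_IPSUB_FANCY_AUTH = {
    "session-start": ("match-first", [
        ("DHCP", is_dhcp, "do-until-failure",
         [(5, "activate dynamic-template IPSUB", activate("IPSUB")),
          (10, "authorize aaa list default", authorize_by_mac)])]),
}


def fire(policy: dict, event: str, session: Session) -> Dict[str, List[Tuple[str, bool]]]:
    match_mode, classes = policy[event]
    return run_event(match_mode, classes, session)


if __name__ == "__main__":
    dhcp = {"protocol": "dhcpv4", "mac": "0019.2f43.9a38"}
    print(fire(POLICY_IPSUB_FANCY_AUTH, "session-start", dhcp))
    ppp = {"protocol": "ppp", "username": "test", "password": "cisco"}
    print(fire(POLICY_SUB, "session-start", ppp))
    print(fire(POLICY_SUB, "session-activate", ppp))
```

Switching the DHCP class to do-all in the model runs the authorize even though it will fail and still leaves the template active, which is the behaviour you want to reason about before choosing a do-mode for an unauthenticated session: a failed authorize under do-until-failure is visible in the policy trace, but the session shown above still ended up Activated with the IPSUB template (and its IPSUB_FAIL_ACL) applied.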
! Define the bundle-ether master and configure for destination ip
! based loadbalancing, so that each subscriber hashes all its traffic
! onto one member only, for accurate QOS
interface Bundle-Ether100
bundle load-balancing hash dst-ip
! The IP session interface must have an ip address. This in order to
! accept ip packets, the dhcp discover.
! If the unicast flag is set, like in MAC OSX or WXP (IOS dhcp client
! leaves the broadcast flag), then this address MUST be the same as
! the subnet for the ip sessions. If it is not the same we can’t
! unicast the offer.
interface Bundle-Ether100.2
ipv4 address 87.78.77.1 255.255.255.0
service-policy type control subscriber ipsub_fancy_auth
encapsulation dot1q 2
ipsubscriber ipv4 l2-connected
initiator dhcp
initiator unclassified-source
!
! Define the bundle sub interface for the right vlan, enable for PPPoE
! via the bba-group and attach the control policy
interface Bundle-Ether100.20
service-policy type control subscriber sub
pppoe enable bba-group X
encapsulation dot1q 20
! Loopback interface for ppp sessions
interface Loopback1000
ipv4 address 101.101.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0/19
! Enable LACP on the bundle member and set it to bundle-e100
bundle id 100 mode active
load-interval 30
!
interface GigabitEthernet0/1/0/19
! Enable LACP on the bundle member and set it to bundle-e100
bundle id 100 mode active
load-interval 30
Show command verification
RP/0/RSP0/CPU0:A9K-BNG#show subscr ses all det
Mon Nov 7 17:20:27.701 EDT
Interface: Bundle-Ether100.2.ip5
Circuit ID:
Remote ID: testme
Type: IP: DHCP-trigger
IP Address: 172.28.15.1, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000044
Nas-Port: 67108896
Username: unknown
Subscriber Label: 0x00000044
Created: Thu Nov 3 16:26:33 2011
State: Activated
Authentication: unauthenticated
Access-interface: Bundle-Ether100.2
Policy Executed:
policy-map type control subscriber ipsub_fancy_auth
event Session-Start match-first [at Thu Nov 3 16:26:33 2011]
class type control subscriber DHCP do-until-failure [Succeeded]
5 activate dynamic-template IPSUB [Succeeded]
10 authorize aaa list default [Failed]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: None
Interface: Bundle-Ether100.100.pppoe2
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IP Address: 199.1.1.2, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000145
Nas-Port: 67110466
Username: test
Subscriber Label: 0x00000145
Created: Thu Nov 3 16:28:10 2011
State: Activated
Authentication: authenticated
Access-interface: Bundle-Ether100.100
Policy Executed:
policy-map type control subscriber sub
event Session-Start match-first [at Thu Nov 3 16:28:10 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
event Session-Activate match-first [at Thu Nov 3 16:28:31 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
20 authenticate aaa list default [Succeeded]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: 0x500c0d24
1: service-type len= 4 value= Framed
2: sub-qos-policy-out len= 5 value= shape
Hello Xander! I have an interesting question for you!
In our company we want to make a new service "child internet". So we want to redirect all dns queries to our special DNS server to block websites which are not allowed.
For PPP users on ASR1000 I made a route-map and added it to subscriber's profile like this:
Cisco-Avpair="lcp:interface-config=ip policy route-map RM-NAT-DNS"
I tried to find the same thing on ASR9001 but in vain. I can't add route-map to user through radius. What can you recommend to me?
hi Andrew!
yeah in XR we don't have route-maps. Either we use RPL (route policy language) to control the routing information, or for PBR (policy based routing) we can use ABF (access list based forwarding).
Example is here: https://supportforums.cisco.com/thread/2196671
you define an ACL and you specify the next hop, similar as what route-maps/PBR do in IOS.
you then assign the ACL via eg filter-ID or the VSA to the session.
regards
xander
Hello Xander,
I hope you are well.
I wonder why you have not answered on my last post. It's about VRF's and putting a subscriber in VRF using AV-Pair. It's being used with Ericsson Redback BRAS devices, and we have to support this feature, too. We are now waiting for the two BNGs so I can play on them again.
https://supportforums.cisco.com/docs/DOC-19726#comment-20527
Hello! Xander! Thanks again for your help! It is the feature I was looking for!
And today I found the new IOS XR version 4.3.2.
Can you answer if you added in this version parameterized ACL's and if not when do you plan to introduce this feature?
Hi andrew, parameterized acl is not in xr432, currently this is on the roadmap but not committed to a release yet.
xander
Smail: for your case you need:
avpair ipv4:ipv4-unnumbered=loopback30 and ipv4:vrf-id=VRF-INTERNET to move the user into the desired vrf.
If you have pppoe only, the access interface does not need any vrf or ip configuration.
if you have ip sessions, you need to have ip enabled on the interface in order to process the dhcp discovers.
regards
xander
Thank you again for your help.
But there is something is do not understand. You said "you need to have ip enabled...". What exactly do you mean?
I have ipv4 unnumbered under the interface, but this loopback interface is under a VRF, and this means that the subscriber is automatically placed in this VRF, because it gets an IP address from this subnet. If I would remove VRF Internet from the loopback interface, the subscriber would be in the global routing table. PPPoE is more easy, because it does not need an IP address under the access interface.
interface Bundle-Ether992.3127
description # IPSUB #
ipv4 point-to-point
ipv4 unnumbered Loopback30
NO VRF INTERNET HERE
service-policy type control subscriber IP_SUB_PMAP
encapsulation dot1q 3127
ipsubscriber ipv4 l2-connected
initiator dhcp
initiator unclassified-source
interface Loopback30
vrf Internet
ipv4 address 10.100.30.1 255.255.255.0
the access interface is irrespective of the subscriber. once the established subscriber sends packets it will get matched against its subscr context and using its associated routing table.
before the subscr is connected, that is, it is in dhcp discover mode, the packets hit the access interface, in that case it is perfectly fine to leave that access if in the global routing table just with some ip enabled, whether that be unnumbered or not; this to ensure we take the dhcp discover and punt it to the control plane.
when the subscriber has an ip address but no interface, it will route against the access interface, in that light it may make sense to apply an ACL to the access interface, for security, that blocks anything but dhcp so we allow that for sub creation but not allowing routing against the access interface.
for ip sessions the access if needs ip enabled, otherwise incoming discovers are dropped because the PARSE stage of the NPU will say, hey get ip in, but ip is not enabled.
xander
Wow thank you, I understand now. After the session is established, the subscriber has its own interface and the access interface and the IP address on it is not that important, it's more to get a DHCP Discover out.
All I need is to have the VRF under the dynamic template.
type ipsubscriber IPSUB_TEMPLATE
vrf Internet
accounting aaa list default type session
ipv4 unnumbered Loopback30
You are as always a big help in this forum.
appreciate that smail! and yes your understanding is perfectly clear!
there is one implementation gotcha (inside dhcp), when the access interface is in a vrf, we allow the subscriber to be in same or another vrf as the access interface, but we don't allow then the subscriber in the global table!
If the access interface is in the global, you can put the user in the global or any vrf.
So yeah, just enable some IP on the interface, and apply an ACL that denies everything but DHCP
(or enable uRPF on the access interface).
cheers!
xander
While reading your last post I remembered that we tested a scenario with http redirect to a captive portal.
In the first phase the subscriber gets an IP and he is being redirected to the captive portal when he opens a web browser.
Because in this phase (getting an IP) RADIUS and thus AV-Pair with the VRF attribute is not used, the subscriber is in the global routing table.
So I have to ask you is the subscriber being moved to the respective VRF while being authenticated on the Captive Portal with CoA?
Sorry for asking, previous ASR9001 had to be returned to Cisco and we have to wait for the two 9006 that will be shipped soon. That is why I can not test it by myself and have to ask you.
There are a couple of design options here Smail.
One thing to take in mind is that a subscriber once active cannot move between vrf's, that is, we can't change his vrf after assignment.
BUT we can do route leaking, that is moving traffic form one vrf to another.
BUT this means we can't have overlapping addresses anymore, because addr X we need to route back to vrf something obviously.
So the options you have are:
All subscribers in a vrf, Portal in a vrf. Apply HTTPr as necessary.
Subscribers in VRF X/Y/Z, portal in VRF Q. Requires route leaking applied (ABF) on the subscriber to move his traffic to the vrf Q. On the return path additional routes in vrf Q are necessary to route the pool addresses back to the respective VRF X/Y/Z (complex, don't recommend that, nice if you have multiple vrf's and a single portal)
subscribers and portal in global, simple and easy but may not be desired if there are multiple service offerings (eg vpls/vpws etc whereby your TLDP already runs in global also).
Sorry to hear you lost your device! But good to hear you're getting another one
regards
xander
Yeah I got it. I see that it's not quite easy. We will try to keep it simple as possible because of scalability.
I will know more when the devices are here
Have a nice weekend and thank you.
Hello Xander!
Few days ago I found new IOS XR version on cisco.com
There is an interesting new feature there. Built-in DHCP server.
And I have a question, Can we use this server in production for 10-20 thousands of subscribers?
I ask this question because earlier we used 7206 routers with built-in DHCP and cisco recommended not to use this feature in production.
hi andrew, correct, the latest version 4.3.2 has an ipv6 dhcp server for prefix delegation. this is not for ipv4 however yet, that is coming later.
it is a highly scalable solution so it can be used for 1000's of subs!
cheers!
xander